(57) Abstract

A method and apparatus for storing general (or non-confidential) and
medical (or other confidential) [...] card to provide non-medical or
unauthorized persons to access the general information while preventing
access to the medical [...] The method authenticates medical
professionals using [...] belongs to a medical professional, and the
method also authenticates an optional medical professional [...] to the
medical information stored on a smart card. Depending on the type of
medical professional (or other [...]) accessing the smart card, various
levels of access are given to the card. By example, doctors are
authorized to read [...] history information and prescription
information, while pharmacists are blocked from reading and writing
medical history [...] are further limited to reading and erasing
prescription information without being able to write new prescription
[...] emergency medical professionals can access a portion of the
medical information needed to administer medical services (e.g., blood
type and medical conditions). The general information is available to
other service providers to ease in receiving services (e.g., reading
name and address for immigration services, car and hotel rental).
TITLE OF THE INVENTION

SECURE PERSONAL INFORMATION CARD
AND METHOD OF USING THE SAME

BACKGROUND OF THE INVENTION
Field of the Invention:

This invention relates to the creation and use of a
secure personal information card to store general information
and to store medical information separately from the general
information.

Description of the Background:

Currently, in order to provide medical history 
information (i.e., known allergies, blood type, current 
prescriptions, medical conditions) about a patient to doctors 
in several locations, patient information is centralized in a 
computer database to which doctors can request access, usually 
by telephone. This system is advantageous in its ability to 
allow doctors and emergency medical professionals to quickly 
access medical information concerning a patient with whom they
are unfamiliar. However, because the access is by phone, the 
confidential patient information can be compromised by 
computer intruders, often known as hackers. Due to the 
importance and confidentiality of medical information, 
reliable but decentralized control of the information is 
needed. 
Smart cards are currently being used in a series of
applications throughout the United States and Europe. Smart
cards are manufactured in various forms. For example, Bull of
France manufactures the [...] series of cards, including
the [...] cards. Gemplus also makes
several series of microprocessor-based smart cards for GSM
mobile communication systems (i.e., SIM2, SIM3, GemXplore 3K,
GemXplore 8K), payment cards (i.e., PCOS, MPCOS16K, MPCOS24K)
and multi-purpose cards (i.e., MCOS[...]K, MPCOS16K,
MPCOS[...]K, MPCOS[...]K). Gemplus provides a software development
kit to aid in the creation of applications using these
microprocessor-based smart cards. Some microprocessor cards
also optionally provide cryptographic schemes based on the
Data Encryption Standard algorithm, DES, card customization to
allow additional functionality to be added to the smart cards
and a multi-purpose chip operating system. Details on
other encryption/decryption algorithms can be found in APPLIED
CRYPTOGRAPHY: PROTOCOLS, ALGORITHMS AND SOURCE CODE IN C, by
Bruce Schneier, and published by John Wiley & Sons, 1994,
which is incorporated herein by reference. Additionally,
Gemplus makes a series of products, including
GEMPLUS Free-access Memory Cards (GFM), GEMPLUS Protected
Memory cards (GPM) and GEMPLUS Authenticated Memory cards
(GAM).

In France, smart cards are used to provide a mechanism
for purchasing telephone "units" consumed by telephone usage.
[...] as would be available through the GPM cards. Furthermore,
smart cards have been described, as in U.S. Patent 4,874,935
to Thomas L. Younger, wherein the smart card stores
personalized information which can be read and written.
Additionally, the connection, electrical, communication and
other specifications for smart cards are set forth in
International Standards Organizations' publications ISO 7816-1
through ISO 7816-5. The disclosures of Younger and ISO 7816-1
to ISO 7816-5 are incorporated herein by reference. Known
systems such as Younger fail to provide a method for
partitioning information on the smart card so that some
information is available to all requestors while other
information (e.g., medical history information) is available
only to authorized users authenticated using a second smart
card.

SUMMARY OF THE INVENTION
It is an object of the present invention to overcome the
foregoing deficiencies.

It is another object of the present invention to provide 
a method of storing, on a smart card, general information 
separately from medical information. 

It is a further object of the present invention to
provide a method of authenticating that a medical professional
(or other authorized person) is requesting access to medical
information, and blocking access to the medical data if a
medical professional is not authenticated as requesting access
to the medical information, while providing access to the
medical information when a medical professional is
authenticated.

It is another object of the present invention to provide 
a method for storing general information on a smart card in 
unencrypted form and storing medical information on the same 
smart card in encrypted form. 

It is a further object of the present invention to
provide a method for storing general information on a smart
card in encrypted form using one key and storing medical
information on the same smart card by encrypting the medical
information with a key different than the key used to encrypt
the general information.

It is yet another object of the present invention to
provide a method for reading the general user information by
non-medical personnel while blocking the reading of medical
information.

It is a still further object of the present invention to 
allow reading of both general information and medical 
information by medical personnel. 

It is yet another object of the present invention to
provide limited types of access to medical information stored
on a smart card by authenticating the type of medical
professional requesting access to the card and providing
either no access rights to the medical information, at least
one of read, write, update and clear rights for part of the
medical information, or at least one of read, write, update
and clear rights for all of the medical information.

It is a further object of the present invention to 
provide a method for visually and magnetically relating a 
person to information stored on a smart card by using a method 
of printing a user picture on a smart card, recording 
information on a magnetic strip on the smart card and 
encrypting medical information on the smart card differently 
than other general information stored on the smart card. 

The above and additional objects and advantages are
achieved according to the present invention which includes
storing general information on a first smart card, storing
medical information onto the first smart card separately from
the general information, inserting the first smart card into a
first smart card reader, inserting a second smart card into a
second smart card reader, authenticating the second smart card
inserted into the smart card reader as a medical personnel's
smart card, and detecting whether a medical personnel's smart
card was authenticated. Access to the medical information
stored on the first smart card is blocked if a medical
personnel's smart card is not authenticated as being inserted
in the second smart card reader, while access is permitted to
a portion of the medical data based on a type of inserted
medical professional's smart card when a medical
professional's smart card has been authenticated upon
insertion into a second card reader. Upon proper
authentication, at least one of reading medical information,
writing medical information and erasing medical information
on the first smart card are permitted using the provided
access.



A more complete appreciation of the invention and many of
the attendant advantages thereof will be readily obtained as
the same becomes better understood by reference to the
following detailed description, when considered in connection
with the accompanying drawings, wherein:

Figure 1A is a schematic of one embodiment of a smart
card utilized according to the present invention;

Figure 1B is a schematic of a second embodiment of a
smart card utilized according to the present invention;

Figure 1C is a schematic showing the reverse side of a
smart card according to the first and second embodiments of
smart cards to be used according to the present invention;

Figure 2 is a schematic of a computer system attached to
a smart card reader, with the computer system performing a
method of the present invention;

Figure 3 is a schematic of a screen for inputting the
personal information to be stored on a smart card according to
the present invention;

Figure 4 is a flowchart showing a general method of
programming and using a smart card according to the present
invention;

Figure 5 is a schematic of a screen for inputting the
medical information according to the present invention;

Figure 6A is a schematic of a first access rights table
to determine the type of access that is allowed to a first
smart card based on a supplied PIN;

Figure 6B is a schematic of a second access rights table
to determine the type of access that is allowed to a first
smart card based on a supplied PIN;

Figure 6C is a schematic of a third access rights table
to determine the type of access that is allowed to a first
smart card based on a supplied PIN;

Figure 7 is a flowchart depicting a method of programming
and using a smart card according to another embodiment of the
present invention;

Figure 8 is a schematic of a screen for inputting
immigration information according to the present invention;

Figure 9 is a schematic of a screen for inputting hotel
register information according to the present invention;

Figure 10 is a schematic of a screen for inputting car
rental information according to the present invention;

Figure 11A is a flowchart depicting three types of access
allowed to the smart card;

Figure 11B is a flowchart showing five additional types
of access allowed to the smart card of the present invention;
and

Figure 12 is a schematic showing a telephone adapted to
receive a smart card with a magnetic strip.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Referring now to the drawings, wherein like reference
numerals designate identical or corresponding parts throughout
the several views, Figure 1A is a view showing a first
embodiment of a smart card 2 utilized according to the present
invention. Smart card 2 includes a picture 4 and a smart card
chip 8, with the smart card chip 8 containing plural leads 5.
A second embodiment of a smart card 2 is shown in Figure 1B,
in which picture 4 is also available and a different smart
card chip 6 is present on the front face of the smart card 2,
again with plural leads 5. The position of the leads is set
forth in ISO 7186-2. In both the smart card of Figures 1A and
1B, a magnetic strip 10 is attached to the back face of the
smart card 2. The smart card can therefore be used for
identification as well as information storage. For example,
the smart card can be used to prove identity when making
credit card purchases. The picture 4 is used in combination
with information stored on the magnetic strip or smart card
chip about what credit cards a person is authorized to use.
Furthermore, in a preferred embodiment, the picture 4 is
printed directly onto the smart cards to prevent someone from
removing a laminated picture, adding a new picture in the
place of the original picture and relaminating the smart card.
In order to protect customers from fraudulent use of their
credit cards, parts of customers' credit card numbers are
stored on the smart card or magnetic strip. For example, in
the case of a customer with a credit card number
"123-456-789-0," on the smart card would be stored "235689"
which is a portion of the whole number. When purchases are made,
retailers could automatically cross-check credit cards with
smart cards by reading the partial number from the smart card
or magnetic strip, then swiping the credit card as normally
occurs. If the credit card number does not match one of the
partial numbers on the smart card, authorization is
automatically denied, thereby protecting against unauthorized
use. Furthermore, by only storing a portion of the credit
card number on the smart card, the full credit card number is
not compromised if the smart card is lost.

In general, the smart card 2 is used in conjunction with
a computer system 20 which is attached to a double smart card
reader 38 or a pair of single smart card readers 39. Computer
system 20 comprises a motherboard 22, a central processing
unit 24 (i.e., Intel 80x86, Motorola 680x0, PowerPC, Sparc,
DEC Alpha), and memory 26. The computer system further
includes programs on a high capacity fixed storage device
(i.e., SCSI or IDE devices) 28 for manipulating the smart
cards. Additional removable storage media devices 30 provide
a means for updating the programs stored on the high capacity
fixed storage device 28 and the smart card 2. Further, a
network adaptor 31 provides another means for updating the
program and the smart card 2. The monitor 32 provides a
method for interactively updating the information stored on a
smart card, while input devices (keyboard 34 and mouse 36)
provide a means for entering data to be stored on the smart
card 2. The smart card 2 is read by either a double smart
card reader 38 or by plural single smart card readers 39. A
generic smart card reader, GCR500, is available from Gemplus
and can be used to read and write data stored on a smart card
2. Bull also makes a smart card reader/writer unit named the
CPS. In addition, the magnetic strip on the back of the smart
card can be read by a magnetic strip reader 37. It is also
possible for either of the smart card readers (38 and 39) to
be equipped with a magnetic strip reader to provide a combined
magnetic strip and smart card reader. These smart card
readers (38 and 39) can also be housed in the computer system
20.

The programs stored on high capacity fixed storage device 
28 include a series of programs which allow data to be read 
from or written to the smart card 2 according to the types of 
accesses allowed by the reader or writer. In addition to 
information to be stored to the smart card according to the 
present invention, data is also written at the manufacturing 
stage and at a customization phase. During these phases, a
unique ID for the card, a manufacturer's ID, a manufacturing
date and other information is stored permanently and may not
be modified.

Figure 3 shows part of a representative set of
information 40 to be stored on a smart card 2 by the present
invention. This information 40 is split into several
segments, with access to individual segments being controlled
by the rights of the requestor. The personality information
41 contains the general information about the owner of a smart
card and is written to a blank smart card 2 during a
customization process. A user's family name, first name,
address, country of citizenship, country of residence,
birthdate, language, place of birth, social security number,
height and sex are all permanently associated with the card
during the customization process. A card owner's phone
number, driver's license number, issuing country, license
expiration date, auto insurance carrier, policy number,
profession, emergency contact, second emergency contact,
religion and city in which his/her visa was issued are shown
as representative of the type of information that can be
generally stored about a user which may change and therefore
may need to be updated.

Medical information 42 includes more specific information
about a card's owner which is independently protected from
other personal information 41. The medical information
includes, but is not limited to, an attending doctor's name,
phone numbers (both office and emergency), fax number, time
zone and native language, along with a person's medical
insurance information (i.e., policy number and co-insurance
company). The information about a user's attending physician
can be used to contact the attending physician in case of an
emergency. The information allows the physician to be
automatically dialed by emergency medical professionals or
other medical professionals to receive additional information
about a patient in need of care. By storing both a phone
number for use during normal office hours and an emergency or
pager number, a patient's attending physician can always be
contacted. In an automatic dialing system using the smart
card 2, the emergency/pager number is automatically dialed
after receiving no answer at the office number. The caller
and the attending physician may also be directly connected by
computer where the computer system of the caller and the
computer system of the attending physician are connected by
the automatic dialing system. By connecting the computers,
additional information (including a more extensive medical
history, x-rays, test results, etc.) can quickly be
transferred to the caller.

Medical information 46 may be stored as either text or as
medical codes/numbers designating, e.g., symptoms or diagnoses
describing a patient's condition. By using a medical code
system, more information can be stored on the same card. By
medical codes, it should be understood that numbers, letters
or a mixture can be used to represent a standardized
condition. For example, "H1" is used to represent a failing
heart valve, "H2" is used to represent the presence of a pace
maker, "A1" is used to represent an allergy to penicillin,
etc.

Furthermore, business, airline and service provider 
(hotel, car, immigration) information 43 can be stored as an
addition to the updatable part of the general information 41. 

Medical and general information is also stored on a 
second smart card 2, belonging to a medical professional. 
According to the type of medical professional whose card is 
being programmed, in addition to the general and medical
information of the medical professional, a means for 
identifying the type of smart card is also stored on the smart 
card 2 of the medical professional. Optionally, a medical 
professional password is also stored on the smart card 2 of 
the medical professional. 

After the information of Figure 3 is initially programmed 
onto a smart card in the respective information positions with 
their respective security, the information may be needed and 
recalled in various medical (i.e., during doctor visits, or in 
emergency medical situations) and non-medical (i.e.,
immigration, hotel registration, car rental) situations. For
simplicity, the examples given below will be described using a
user's/patient's smart card in a first smart card reader 39
and a doctor's smart card in a second smart card reader 39,
although the method works equally well with the 
user's/patient's smart card being inserted into a first slot 
in a double smart card reader 38 and the doctor's smart card 
being inserted into a second slot of the double smart card 
reader 38. 

As shown in Figure 4, a doctor uses a computer system to
access medical information 46, by inserting a patient's smart 
card into a first of two smart card readers 39. The doctor's 
smart card 2 then is inserted into a second smart card 
reader 39. Having detected the presence of a smart card 2 in 
the second smart card reader, the computer system controlling 
access to the general and medical information starts the first 
step in allowing access to the medical information 46. The 
computer system determines whether the card inserted into the 
second smart card reader is a doctor's card. If the card 
inserted into the second smart card reader is not a doctor's 
card, appropriate failure processing is performed by the 
computer system (i.e., an error message is displayed, or 
audible alarm is emitted), and access to the medical 
information 46 is not provided by the computer system. 

As an optional security measure, a second step to
allowing access to the medical information 46 of a patient is
performed by reading a password from the keyboard 34 to ensure
that a doctor's lost smart card 2 cannot be used to read
medical information 46 by unauthorized individuals. The
password is authenticated by the computer system, and if the
password authentication is unsuccessful, the computer system
performs appropriate failure processing. If the password is
authenticated, the computer system provides read and write
access to the medical information 46. The medical information
46 is then read or written as required by the doctor. As
shown in Figure 5, the medical information 46 is used to check
blood types, existing conditions, medical history, etc., and
the computer system updates the medical information 46,
including prescription information, as requested by the
doctor.

In an embodiment where medical conditions are stored
using a coded form rather than text, the computer system is
also equipped with a means for decoding the diagnosis or
symptom codes and displaying information about the condition
which the code represents. This means for decoding includes
at least one of a textual description, an audible description
and a visual description, wherein the visual description is
represented with an animated or virtual body.

Furthermore, in another embodiment of the computer system
of the present invention, the prompts (used to display or
receive general information and medical information from the
smart card and provided to a computer display 32) are in a
native language of choice, either according to who is using
the display or according to the language specified by an
authenticating card.
In the first embodiment, a non-volatile memory card is
used to implement doctor and user/patient smart cards.
Because these smart cards provide no automatic protection, the
segmentation and protection of the medical information 46 from
the general information is done by the computer system.
First, general and medical information are written to plural
smart cards to be used in the computer system, along with an
indication of whether or not each card being programmed is for
a doctor or other special function person and, if so, a
password or Personal Identification Number (PIN) corresponding
to the card is also optionally written. Next, first and
second programmed smart cards are inserted into first and
second smart card readers. If the second smart card is
determined to be a doctor's card, then the password or PIN is
optionally prompted to further authenticate that the person 
using the second smart card is authorized to do so. Having 
authenticated the doctor, the computer system controls the 
reading of information from the first smart card and the 
writing of medical information back to the first smart card to 
correspond to the information entered into the computer system 
using a computer entry screen comparable to Figure 5. 

In an alternate embodiment of the present invention, the 
overall security of the medical information is increased by 
encrypting the medical information using an encryption 
algorithm, preferably a symmetric algorithm (i.e., DES), and a
shared key, i.e., shared by medical professionals. Before the
computer system provides access to the medical information, the
shared key is read from an authenticated smart card 2 of a
medical professional. The computer system then would decrypt
the medical data using the shared key before displaying the
data on the computer screen, and before writing medical
information to the first smart card, the computer system
encrypts the data entered on the computer screen by using the
shared key.

In yet another embodiment of the present invention, which
uses memory cards as smart cards, the doctor's password is
required and is stored on the doctor's smart card in encrypted
form. To prevent unauthorized reading of the shared key, the
shared key is encrypted using the doctor's password. The
computer system can still authenticate the doctor's password
by encrypting the password typed by the doctor and comparing
it with the encrypted version stored on the smart card. The
typed password is then used to decrypt the shared key,
preventing the shared key from being compromised by reading
from a doctor's lost memory-based smart card. In this
embodiment, when a doctor changes his password, both the
stored, encrypted password and the encrypted shared key must
be updated.

In a further embodiment of the present invention, which
uses memory cards as smart cards, the doctor's password is
required and stored on the smart card in encrypted form and
the means for indicating that the smart card is a doctor's
card and shared key are encrypted using the plain text version
of the doctor's password, then stored on the smart card.

In another embodiment of the present invention in which a
microprocessor-based smart card is used, a smart card is
programmed with medical information 46 stored in one area of
the smart card containing one set of access rights, and the
general information is stored in a separate area of the smart
card with a different set of access rights. Furthermore, an
indication of the type (i.e., doctor's, pharmacist's,
emergency professional's) of the smart card is stored in an
area that either cannot be directly read or cannot be
modified. The smart card controls enforcing the rights to the
information.

When a second smart card is inserted into the second 
smart card reader, the computer system sends a command to 
authenticate that the second smart card is a doctor card. If 
the second smart card determines that it is not a doctor's 
card, appropriate error processing is performed. If the 
second smart card determines that it is a doctor's card, then 
the computer system waits for the doctor to type a password. 
This password is sent to the second smart card to authenticate 
that it matches the internally stored password. If the 
password is authenticated, then a protected area in the second 
smart card is made readable and a PIN is read from the
protected area of the second smart card. This PIN is written
to the first smart card to allow read and write access to the
medical information.

In the case of a password mismatch, the second smart card
can be used to monitor the number of password mismatches to
see if a doctor's password is being guessed at or "hacked."
By having set at customization a maximum number of allowable
mismatches, the second smart card can disable itself when the
maximum number of wrong guesses occurs. This provides a
definite advantage over storing an encrypted password on a
memory card. The encrypted password could be read by a
hacker, and attacked by using several known techniques (i.e.,
dictionary attack, brute force, random guessing) until a
guessed password matches the encrypted password stored on the
card. The password, having been compromised, could then be
used to determine the key or PIN used to access the medical
information stored on the first smart card.

In a further embodiment of the present invention using
microprocessor smart cards, as shown in Figure 7, the process
of encrypting medical information to be stored on the first
smart card and decrypting medical information read from the
first smart card is performed internally in the second smart
card. The second smart card is first authenticated as
described above, medical data is then read from the first card
in blocks and sent to the second smart card, and the second
smart card sends back the decrypted medical data. The process
is performed in reverse when storing information back to the
first smart card. Information to be encrypted is sent in
blocks from the computer system to the second smart card,
encrypted, read out of the second smart card and written back
to the first smart card.

Obviously, a computer system could support any of the 
above embodiments or a combination of embodiments where the 
computer system automatically determines the type of each 
smart card and the processing required to authenticate the 
doctor's card and read and write the user's card. However, a 
presently preferred embodiment utilizes microprocessor based
smart cards with multiple protectable areas with multiple sets
of access rights or areas.

As shown in Figures 6A-6C, the access rights for separate
areas can be established in several ways. In the figures,
access permissions are given by "R" for read, "W" for write,
"C" for clear and "D" for decrement, as in refill numbers for
prescription information. For PIN columns with an entry
indicated by "0", no PIN is required for the shown type of
access. Figure 6A shows that a fixed number of entries are
used to define rights for a single area per entry based on
PINs. Using this configuration, access permissions may be
distributed according to what PINs need access to what areas
without presetting a number of PINs that can be assigned to
any given area. Any PIN not in the list only allows access to
the areas with a "0" PIN, and any PIN not associated with all
areas only allows access to the areas with a "0" PIN and the
areas for which a matching PIN exists. However, this requires
storing an additional piece of information per entry, i.e.,
the area identifier.

Figure 6B depicts an arrangement which avoids the need to
store an area identifier per entry, by fixing the number of
PINs per area, and a search for valid PINs for a given area can
be performed by knowing the number of PINs per area. However,
this configuration is more restrictive than the configuration
of Figure 6A. For area 1, only one entry is needed because
read access is always provided and no other rights are
assigned to area 1. Therefore, all other associated entries
for area 1 are wasted.

A third configuration combines 6A and 6B and uses a map 
of all areas and the access rights allowed to each area based 
on the PINs specified in the first column. This configuration
is advantageous in cases where different rights for many
different areas are assigned to each PIN.

As an illustrative example of how these access controls
can be utilized, the division of information on the smart card
will be referenced with respect to Figures 6A-6C. The first
area, area 1, is used as the general information area and is
assigned with a PIN number "0" which represents that all users
have the access rights shown for area 1. As the rights for
area 1 are indicated by an "R", area 1 only may be read by all
users. However, area 2 is used as the area in which medical
information is stored, and access to this area is restricted
until after authenticating a doctor. This PIN code, "1234",
is then read from a protected area of the second smart card
and the PIN is then written to the patient's smart card,
unlocking area 2. Because the PIN "1234" provides read, write
and clear access, an authenticated doctor can perform any of
these operations on the medical data. As shown in Figure 6B,
area 1 has a single PIN of "0" allowing read access by all
users. Further below, PIN "1234" is provided in area 1 and
allows read, write and clear access by a doctor. As shown in
Figure 6C, PIN "0" allows read access to all users for area 1,
while PIN "1234" allows read access to area 1 and read, write
and clear access for area 2.

In all of the above embodiments, access rights have been
used to partition the general information from the medical
information based on whether a smart card had doctor's rights.
An additional level of rights is used in an embodiment
of the present invention wherein a pharmacist is given read
access, but not write access, to the prescription portion of
the medical information so that the pharmacist can fill
prescriptions written by a doctor that are stored on a smart
card. However, in this embodiment, the pharmacist is blocked
from reading or writing the rest of the medical information.
In an embodiment using no encryption on a memory-based smart
card, the computer system enforces the protection by only
reading and displaying prescription information from the
medical information and not allowing writing to the
prescription information.

In a memory-based smart card embodiment where encryption
is used, the computer system encrypts the prescription portion
of the medical information shared by pharmacists and doctors,
and encrypts the rest of the medical information using a
shared key for doctors that is not known to pharmacists.
Furthermore, all the methods used to encrypt means for
identifying doctor cards and doctor passwords are also
applicable to encrypting the means for identifying pharmacist
cards and passwords.

Additionally, the pharmacist's rights may also include
the right to decrement the number of refills to which a
patient is entitled. In both the method that uses no
encryption and the method that uses encryption, because the
computer system must be able to write/update the prescription
information, the computer system restricts updates so that the
number of refills of a drug is only decremented and not
incremented or set to a new value. For added protection, in yet
another alternate embodiment, all prescriptions written by
doctors are electronically "signed" using an encryption
algorithm, preferably a public key encryption algorithm, and the
electronic "signature" is authorized before a prescription is
filled.

In a preferred embodiment of the present invention,
processor-based smart cards are used to provide access control
to the various types of information on the smart card.
According to Figures 6A-6C, general information is stored in
area 1, prescription information is stored in area 3 and all
non-prescription medical information is stored in area 2. By
using PIN "5678," the smart card controls enforcement of
rights to the information, for example, such that pharmacists
are given read, clear and decrement access to the prescription
information without being given any permission for the rest of
the medical information. When a second smart card is inserted
into the second smart card reader, the computer system sends a
command to authenticate that the second smart card is a
pharmacist card. If the second smart card determines that it
is not a pharmacist's card, appropriate error processing is
performed. If the second smart card determines that it is a
pharmacist's card, then the computer system waits for the
pharmacist to type a password. This password is sent to the
second smart card to authenticate that it matches the
internally stored password. If the password is authenticated,
then a protected area in the second smart card is made
readable and a PIN is read from the protected area of the
second smart card. This PIN is written to the first smart
card to allow read access to the prescription information
without providing write access to the prescription information
and without providing read or write access to the rest of the
medical information.

This access control is made possible by storing the
prescription information in an area (area 3) separately
protected from the rest of the medical information, which is
in area 2. The first smart card allows direct read and write
access to the prescription information and medical information
when a doctor's PIN is read from the second smart card and
written to the first smart card, but only allows direct read
access to the prescription information and no access to the
rest of the medical information area when a pharmacist's PIN
is read from the second smart card and written to the first
smart card. Additionally, erase and decrement functions for
prescription information on the first smart card are performed
by sending either the doctor's or the pharmacist's PIN to the
first smart card, and then sending a command to erase
prescription information or decrement the number of available
refills. Since the microprocessor in the first smart card
performs these functions, unauthorized writing or refilling of
prescription information is prevented.

Because the blood type, medical alert and medication
information is also often required by emergency personnel, a
portion of medical information 46 is available by using an
emergency service's smart card. Providing access to part, but
not all, of the medical information is provided by methods
analogous to providing access to prescription information by
pharmacists without providing access to all medical
information. In this embodiment of the present invention,
general information is stored in area 1, prescription
information is stored in area 3 and medical information
required by emergency personnel is stored in area 4. All
remaining medical information is stored in area 2 and the
access rights in Figures 6A-6B are assigned to the areas.
Again, a doctor's card uses PIN "1234," a pharmacist's card
uses PIN "5678" and medical emergency personnel's card uses
PIN "0911." This provides a doctor with read and write access
to all medical information areas while allowing a pharmacist
read, clear and decrement privileges for the prescription
information but no further access rights to any other parts of
the medical information. Emergency medical professionals'
cards use PIN "0911" and are allowed read access to the
prescription information in area 3 and the medical alert
information in area 4. Availability of this information is
very helpful in cases where an accident victim is unconscious
or does not have an adequate command of the language used by
the emergency medical professionals.
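
The area and PIN scheme described above, as an added Python example that is not part of the patent text: it models a Figure 6A style entry table with the doctor, pharmacist and emergency PINs, and has the card itself enforce decrement-only refills. The table entries are assumptions reconstructed from the description (the figures are not reproduced here), and the class and function names are hypothetical.

```python
from dataclasses import dataclass

PUBLIC_PIN = "0"  # a "0" entry means no PIN is required for that access

# Figure 6A layout: one (PIN, area, rights) entry per line.
# R = read, W = write, C = clear, D = decrement.
# Entries are assumptions reconstructed from the description, not the figures.
ACCESS_TABLE = [
    ("0",    1, "R"),     # general information: readable by all users
    ("1234", 2, "RWC"),   # doctor: non-prescription medical information
    ("1234", 3, "RWCD"),  # doctor: prescription information
    ("1234", 4, "RW"),    # doctor: information needed by emergency personnel
    ("5678", 3, "RCD"),   # pharmacist: prescriptions only, no write
    ("0911", 3, "R"),     # emergency personnel: prescriptions
    ("0911", 4, "R"),     # emergency personnel: medical alert information
]

class AccessDenied(Exception):
    """Raised by the card when the presented PIN lacks the requested right."""

@dataclass
class PatientCard:
    areas: dict            # area number -> stored record
    pin: str = PUBLIC_PIN  # PIN most recently written to the card

    def rights(self, area):
        # Union of the "0" entries and the entries matching the presented PIN.
        return {r for p, a, rs in ACCESS_TABLE
                if a == area and p in (PUBLIC_PIN, self.pin) for r in rs}

    def _require(self, area, right):
        if right not in self.rights(area):
            raise AccessDenied(f"area {area}: {right} not granted")

    def read(self, area):
        self._require(area, "R")
        return self.areas[area]

    def write(self, area, record):
        self._require(area, "W")
        self.areas[area] = record

    def clear(self, area):
        self._require(area, "C")
        self.areas[area] = None

    def decrement_refills(self, area=3):
        # The card lowers the count by one itself; no caller-supplied value,
        # so the count can never be raised or reset through this command.
        self._require(area, "D")
        record = self.areas[area]
        if not record or record["refills"] <= 0:
            raise AccessDenied("no refills remaining")
        record["refills"] -= 1
        return record["refills"]

def sample_card():
    # Constructed sample data, not taken from the patent.
    return PatientCard(areas={
        1: {"name": "J. Doe"},
        2: {"history": "constructed sample"},
        3: {"drug": "constructed-drug", "refills": 2},
        4: {"blood_type": "O+"},
    })
```

A PIN that appears nowhere in the table falls back to the "0" entries only, which is the behaviour the Figure 6A description gives for unlisted PINs.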

The segmented general and medical information is also 
used in alternate embodiments of the present invention to aid 
in providing parts of the general information to police, 
insurance and other service providers, banks, immigrations and 
customs, hotel, automotive, etc., while protecting service 
specific information from other unauthorized service 
providers. Figure 8 shows a computer screen using parts of
the general information 41, wherein
the general information is used in completing an immigration
application. Immigration information 49 contains a subset of
the general information 41 stored on the smart card 2.
Furthermore, the immigration access optionally allows the
address 50 in the visited country (e.g., United States) and
the information for immigration 51 (i.e., date of departure)
to be read and updated by authorized immigration personnel.
Although not shown, visa type is also recordable on the smart
card, for example, to reflect the length of stay allowed in a
country being visited. At departure, the date and time of
arrival can be read from the smart card to automatically
generate an embarkment card or any other immigration papers
required upon entering/exiting a country. Furthermore, the
identity of the departing individual can be recorded and
uploaded to an immigration computer or a central immigration
computer to track visitors to the country. Additionally,
using a double key system, as was used for pharmacists,
doctors, etc., every entry and exit to a country can be
recorded on the smart card.

Figure 9 shows a computer screen associated with using 
portions of the general information 41 to speed the 
registration process at a hotel. By reading parts of the 
general information 41, while blocking reading of the medical 
information 42, a hotel can more accurately register guests. 
However, a user may optionally erase its own hotel information 
using a PIN before checking into a new hotel to prevent one
from learning other hotels at which the user stays.
Part of this hotel information may be read by taxis or
other professional drivers to enable people with a poor
command of a language to indicate where they wish to be taken.
Taxis would be prevented from reading the hotel room number,
although they would be given the street address of the hotel
and optionally directions to the hotel. This information
is available to police and emergency professionals in order to
be able to contact other members of a user's family in case of
an accident.

A similar process can be performed for other service
industries, such as car rentals shown in Figure 10, by reading
a portion of the general information 41 from the smart card
and applying it to a car rental registration template S*.

Figures 11A and 11B show an overall set of representative
types of information to be stored on a smart card, the type of
professional that is allowed access to each type of
information, and what types of access to the available types
of information each professional is permitted.

Figure 12 shows another use of the combination smart card
and magnetic card of the present invention. Because this card
is envisioned to be used by people who do not possess a strong
command of a language of the country in which they are
visiting, a combination phone and smart card/magnetic strip
combines the information stored on the magnetic strip/smart
card with automatic dialing and caller identification.
Emergency medical professionals can therefore be dispatched
directly to a telephone used to call in an emergency, and the
professionals dispatched are sent based on the information
read from the card (i.e., based on language, age,
condition of the owner of the smart card).

Obviously, numerous modifications and variations of the
present invention are possible in light of the above
teachings. It is therefore to be understood that within the
scope of the appended claims, the invention may be practiced
otherwise than as specifically described herein.

CLAIMS:



1. A method for restricting access to information stored 
on a first smart card by verifying authorization to access the 
information using a second smart card, comprising the steps 
of: 

inserting a first smart card into a first smart card
reader, the first smart card comprising first and second
information areas, wherein access to the second information
area is restricted;

inserting a second smart card into a second smart card
reader, the second smart card comprising a means readable by
the second smart card reader for determining a type of the
second smart card;

reading the type of the second smart card using the
second smart card reader;

verifying that the second smart card is authorized to
access the second information area of the first smart card;

blocking access to the second information area of the
first smart card if the verifying step indicates that the
second smart card is not authorized to access the second
information area of the first smart card; and

providing access to the second information area of the
first smart card if the verifying step indicates that the
second smart card is authorized to access the second
information area of the first smart card.

2. The method according to Claim 1, further comprising:

programming the first smart card with general information
in the first information area and medical information in the
second information area; and

programming the second smart card with the type of the
second smart card.

3. The method according to Claim 2, wherein the step of
programming the first smart card comprises:

programming the first information area of a memory-based
smart card with general information in unencrypted form; and

programming the second information area with medical
information in encrypted form.

4. The method according to Claim 3, wherein the step of
programming the second information area in encrypted form
comprises:

programming the second information area with medical
information encrypted using DES.

5. The method according to Claim 4, comprising the step
of:

programming the second smart card with a DES key used to
encrypt the medical information on the first smart card.

6. The method according to Claim 2, wherein the step of
programming the first smart card comprises:

programming a microprocessor-based smart card with
general information in the first information area;

assigning access rights to the first information area so
that the first information area is read-only at all times;

programming the second information area with medical
information; and

assigning access rights to the second information area so
that a PIN is required to be sent to the first smart card to
access information stored in the second information area of
the first smart card.

7. The method according to Claim 2, further comprising:

programming the second smart card with a password to
authenticate use of the second smart card.

8. The method according to Claim 7, wherein the step
of programming a password comprises:

programming the second smart card with an encrypted
password.

9. The method according to Claim 7, wherein the step of
verifying that the second smart card is authorized to access
the second information area comprises:

comparing the type of the second smart card read using
the second smart card reader with a stored type of smart card
which is authorized to access the second information of the
first smart card;

denying access to the second information area of the
first smart card if the comparing step indicates that the type
read from the second smart card reader and the known type are
equal;

reading a password from a keyboard;

comparing the password read from the keyboard with the
password stored on the second smart card; and

indicating that the second smart card is not authorized
to access the second information of the first smart card when
the passwords are not equal.

10. The method according to Claim 8, wherein the step of
verifying that the second smart card is authorized to access
the second information area comprises:

comparing the type of the second smart card read using
the second smart card reader with a stored type of smart card
which is authorized to access the second information of the
first smart card;

denying access to the second information area of the
first smart card if the comparing step indicates that the type
read from the second smart card reader and the known type are
equal;

reading a password from a keyboard;

comparing the password read from the keyboard with the
password stored on the second smart card; and

indicating that the second smart card is not authorized
to access the second information of the first smart card when
the passwords are not equal.

encrypting the password read from the keyboard to
an encrypted keyboard password; and

comparing the encrypted keyboard password with the
encrypted password stored on the second smart card.

12. The method according to Claim 2, wherein the step of
programming the first smart card with medical information in
the second information area comprises:

programming the medical information using medical codes.

13. A computer-implemented method of authorizing the use
of a credit card based on information stored on a smart card
containing a magnetic strip, comprising the steps of:

storing a portion of a credit card number to a smart
card;

reading using a sales terminal the portion of the credit
card number stored to the smart card;

reading a full credit card number from a strip
on a credit card;

comparing the full credit card number to the portion of
the credit card number stored to the smart card;

denying the use of the credit card if the comparing step
indicates that the numbers are not related; and

authorizing the use of the credit card if the comparing
step indicates that the numbers are related.

14. A computer-implemented method of contacting
emergency professionals by phone, comprising the steps of:

inserting a smart card with a magnetic strip into a
reader in a telephone;

reading information stored on the smart card using the
reader;

dialing emergency professionals automatically using the
telephone;

transmitting the information read from the card
using the reader from the telephone to a central dispatch
unit; and

dispatching emergency professionals based on the
information transmitted to the central dispatch unit.

15. The method according to Claim 12,
wherein the step of transmitting the information read from
the smart card comprises transmitting a native language
of an owner of the smart card; and

wherein the step of dispatching emergency professionals
comprises dispatching origins of professionals based on the
native language transmitted in the transmitting step.

16. The method according to Claim 12, wherein the step
of reading information stored on the smart card using the
reader comprises:

reading information stored on a chip on the smart card
using a smart card reader.

17. The method according to Claim 12, wherein the step
of reading information stored on the smart card using the
reader comprises:

reading information stored on the magnetic strip of the
smart card using a magnetic strip reader.